Under Armour Reports Massive Breach of MyFitnessPal App
150 Million Accounts Exposed; Could Phishing Campaign Be Coming?
Athletic apparel maker Under Armour says an unauthorized intruder gained access to information, including hashed passwords, for the accounts of 150 million users of its MyFitnessPal mobile app and website.
While the exposed passwords were protected by the strong password-hashing algorithm bcrypt, other exposed information, including usernames and email addresses, was protected only by easier-to-crack SHA-1 hashing. That means those values are far more likely to be recovered from their hashes and used to fuel phishing campaigns.
In a statement, the company says it became aware on March 25 that during February, an unauthorized party acquired data associated with the company's MyFitnessPal user accounts.
MyFitnessPal is a free smartphone app and website that enables users to track diet and exercise to help with weight loss.
"The affected data did not include government-issued identifiers - such as Social Security numbers and driver's license numbers - because we don't collect that information from users. Payment card data was not affected because it is collected and processed separately," the company says.
The identity of the intruder remains unknown, Under Armour reports.
A majority of the passwords exposed were protected "with the hashing function called bcrypt," the company says. Bcrypt is a password hashing mechanism that incorporates security features, including multiple rounds of computation, to provide advanced protection against password cracking, the company explains.
Hard to Crack?
Indeed, bcrypt is known for being a particularly difficult password-hashing algorithm to crack, says John Nye, senior director of cybersecurity research at consulting firm CynergisTek.
"It was specifically designed to be more secure than previously used mechanisms - such as a salted SHA-256 hash - using a method called key strengthening, which makes the passwords more secure against what is known as a 'brute force' attack," he says.
"Brute forcing a password hash essentially means taking every possible password, encoding it and comparing it to the hash that was stolen. So, in short, there is little chance the attackers will attempt to decode all of these passwords and if they did cracking them would be quite an undertaking."
Opening Door to Phishing
Unfortunately, other exposed MyFitnessPal account data, including usernames and email addresses, was protected by the much weaker SHA-1, a fast, general-purpose 160-bit hash function that was never designed to slow down guessing.
"The non-password data that was taken should be considered freely accessible," Nye says. "SHA-1 is not a very strong encryption mechanism, and the email addresses and usernames are likely more valuable to the attackers as mailing lists to use for phishing campaigns."
The attackers, Nye notes, "have a list of 150 million users that they know use MyFitnessPal and now have the perfect pretext to get them to hand over their passwords."
"It would be surprising if we did not see a large phishing campaign directed specifically at these users. They will be expecting messages from MyFitnessPal and will be far more likely to click on fraudulent emails purporting to be from MyFitnessPal."
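The contrast drawn above, between unsalted SHA-1 over predictable values such as email addresses and a slow, salted password hash like bcrypt, as an added illustration that is not code from the article, Under Armour or MyFitnessPal: the sample addresses are constructed, and because bcrypt is not in the Python standard library, PBKDF2-HMAC from hashlib stands in for a salted, iterated password hash (the per-guess cost argument is the same).

```python
"""Why SHA-1 over email addresses is no protection, and why a bcrypt-style
work factor is. Added illustration, not MyFitnessPal code. PBKDF2-HMAC
(hashlib) stands in for bcrypt as a slow, salted, iterated hash."""
import hashlib
import os
import time

# Constructed sample data: addresses a site might store only as SHA-1 hashes.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def sha1_hex(value: str) -> str:
    """Single unsalted SHA-1, as the article describes for usernames/emails."""
    return hashlib.sha1(value.encode()).hexdigest()


def recover_sha1(stored_hashes, candidates):
    """Match unsalted SHA-1 hashes against a candidate list. One hash per
    candidate suffices because there is no salt and SHA-1 is fast, which is
    why a breach assessment should treat such fields as already plaintext."""
    lookup = {sha1_hex(c): c for c in candidates}
    return {h: lookup[h] for h in stored_hashes if h in lookup}


def slow_hash(value: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    Each guess costs `iterations` HMAC computations instead of one SHA-1,
    and the per-user salt rules out a single shared lookup table."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, iterations)


def per_guess_cost_ratio(iterations: int = 100_000, batch: int = 2_000) -> float:
    """How much more one guess costs against the slow hash than against
    unsalted SHA-1. Timing is approximate; the order of magnitude matters."""
    t0 = time.perf_counter()
    for i in range(batch):
        sha1_hex(f"guess{i}@example.com")
    sha1_per_guess = (time.perf_counter() - t0) / batch

    salt = os.urandom(16)
    t0 = time.perf_counter()
    slow_hash("guess0@example.com", salt, iterations)
    slow_per_guess = time.perf_counter() - t0
    return slow_per_guess / sha1_per_guess


if __name__ == "__main__":
    stolen = [sha1_hex(e) for e in SAMPLE_EMAILS]        # what a breach exposes
    known = SAMPLE_EMAILS + ["dave@example.com"]          # a defender's own user list
    print("recovered:", recover_sha1(stolen, known))
    print(f"slow hash costs ~{per_guess_cost_ratio():.0f}x more per guess")
```

Run against your own user list, the first call shows how much of a SHA-1-only column would fall out of a breach immediately; the second shows the work factor a bcrypt-class hash adds to every guess.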
Investigation Continues
Under Armour says it's requiring MyFitnessPal users to change their passwords.
The company says it's working with data security firms in the investigation and has notified law enforcement of the incident.
It also says it's continuing to monitor for suspicious activity and "make enhancements to our systems to detect and prevent unauthorized access to user information."
Lessons to Learn
So what lessons should other entities learn from the Under Armour incident?
Nye says the company was smart to keep payment information completely separate from other data and to not request or store Social Security numbers.
"There are a lot of organizations that could stand to learn a lesson in how well they kept their data compartmentalized so that a breach of 150 million accounts only caused the loss of relatively innocuous data."
Mobile health applications sold directly to consumers generally do not fall under the regulatory umbrella of HIPAA. However, some regulators, including New York state's attorney general, have taken enforcement action against mobile health application vendors in cases involving privacy issues (see NY Deals With App Vendors Could Fuel More Privacy Actions).